An employee who reused his or her work password on another site, which was then hacked, has been blamed for the spam sent to members.
The hackers used the password to raid the employee's online locker, and found a document containing email addresses registered with Dropbox accounts.
About a fortnight ago, customers began to complain about a number of spam emails about gambling sites being sent to email addresses that were used exclusively with their Dropbox accounts.
Dropbox said in a statement: “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk.”